The Industry

I Hate Passwords

I honestly hate passwords. It seems like every site that I register with has some slightly different rules for what constitutes an acceptable password. Having different passwords drives me crazy because my brain can remember things like phone numbers, but passwords seem to elude my memory.

And now I have been reading that the rules on the various sites having to do with password safety are largely in vain anyway since it’s now pretty easy to crack the kinds of passwords that most sites require you to create. I suspect that these sites all know this, but they put you through the effort to come up with an acceptable password to give you a false sense of security.

We all know what good passwords are supposed to be. They must be eight or more characters, with a mix of upper and lower case letters, numbers, and symbols. They should not include any word used in a dictionary including silly substitutions like using ‘!’ instead of the letter L. And you are not supposed to repeat passwords on multiple sites.

And so we sit at each new web site (and it seems that everybody wants you to create a password these days) and we cook up some dumb new combination that we are never ever going to remember just so we can shop for tea or read a news article. We try combinations until the site takes it and also shows us a nice green bar to prove that our new password is a safe one.

But this is more or less a waste of time. The bad guys who crack passwords also know all of these rules, and the rules actually help them: a cracking program does not have to try every possible string, only the shapes the rules allow (a capital here, a digit there, a symbol somewhere), which is a far smaller search. It doesn’t seem like somebody ought to be able to crack a password like aN34%6!bJ, but they can, and fairly easily. A nine-character password of that shape has a few hundred billion possibilities, and if the site stored it with a fast hash like MD5 or SHA-1, a single machine full of graphics cards trying billions of guesses per second gets through all of them in well under a day. (Have I mentioned yet that I also hate sites that make me pick stupid passwords?)

Of course, it’s even easier to crack the really stupid passwords. For yet another year ‘123456’ is still the most commonly found password followed closely by ‘password’. But let’s face it, anybody using those is not really caring too much if they get hacked or if somebody deletes their Pinterest page or sees the news articles they have saved.

So how do hackers crack our passwords so easily? They get a surprisingly large number of them directly from people through phishing. People type their passwords into fake websites all of the time and then are dumb enough to also type in credit card numbers or bank account numbers when asked. There is not much more advice about that other than – don’t do it! You are much better off if you are like me and you don’t even know your bank account number! (But luckily my wife does).

But hackers also get millions of passwords by breaking into commercial sites and stealing their user databases. This lets hackers get access to huge numbers of passwords at the same time. Almost all websites do not store the password itself but the output of a one-way hash function (this is hashing, not encryption: there is no key that turns the hash back into the password). A simple password like dog is saved as a fixed-length string of letters and numbers called a ‘hash’. When web sites are hacked and the bad guys make off with millions of accounts, they don’t get your actual passwords, but a file of these hashes. Well-run sites also mix a random value called a ‘salt’ into each user’s hash and use a deliberately slow hash function such as bcrypt or PBKDF2, and that makes a big difference to what the thieves can do with the file.

Hackers then attack the pile of hashes with computers that can make billions of guesses per second. There is nothing to reverse engineer: the hash algorithm is public, so they simply take a candidate password, run it through the same algorithm, and check whether the result matches any hash in the stolen file. They start with all of the easy-to-crack passwords like ‘123456’, and if the site did not salt its hashes, every user who picked that password has the identical hash, so one guess cracks all of them at once, and the repeats are visible in the file before a single guess is made. Salting removes that shortcut, because each user’s hash has to be attacked separately, and a slow hash function turns billions of guesses per second into tens of thousands. Either way, they end up with many of the passwords in the file they have stolen.

I say many passwords, because it turns out that there is one set of passwords that is harder to crack than most. It comes from stringing together long chains of nonsense words that you can remember but that are not commonly used together. For instance if your password is ‘frogflatchevydog’ to memorialize the day you ran over a frog and then your dog sniffed it, then such a password is much harder to crack than a normal one. The reason is length: every extra character, or extra word, multiplies the number of guesses a cracker has to make, so four unrelated words chosen from a ten-thousand-word vocabulary allow ten thousand to the fourth power, ten quadrillion, combinations, tens of thousands of times more than a nine-character password that follows the usual rules. No password is impossible to crack, but that multiplier turns an attack that would finish in minutes into one that takes weeks on the same hardware, and it’s likely that nobody will put in the effort unless they really want you specifically.

Keep in mind that you can’t string together any common phrases that can be tested easily. For example, ‘allmimsyweretheborogoves’ is relatively easy to crack because it’s all over the Internet since many people love Lewis Carroll books. Cracking programs search for billions of common phrases that they find on the Internet, meaning you probably can’t now use my great password suggestion about the flat frog.
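A worked example of the whole picture above, added here and not part of the original post: a constructed breach dump hashed two ways (unsalted SHA-256, then salted PBKDF2), a small attacker wordlist, the guessing loop against each, and the keyspace arithmetic for a rules-compliant nine-character password versus a four-word passphrase. The user names, passwords, wordlist, iteration count and dictionary size are all assumptions chosen for illustration, and the famous phrase sits in the wordlist for the reason given above.

```python
"""Added example (not from the original post): how a stolen hash table is
attacked by guessing, and why salts, slow hashes and long passphrases change
the attacker's arithmetic. Every "stolen" record is constructed inline."""
import hashlib
import os

SLOW_ITERATIONS = 50_000  # assumed work factor for the salted, slow scheme

# Hashcat-style mask classes: lower, upper, digit, special (33 printable symbols).
MASK_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def fast_hash(password: str) -> str:
    # What a careless site does: one unsalted SHA-256 per password.
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> str:
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_dump(plaintexts: dict) -> dict:
    # Store each user as (salt, slow_hash); salts are random, so two users
    # with the same password end up with different hashes.
    dump = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        dump[user] = (salt, slow_hash(pw, salt))
    return dump


# Constructed user base: alice and carol picked the same password.
PLAINTEXTS = {"alice": "123456", "bob": "password",
              "carol": "123456", "dave": "frogflatchevydog"}
UNSALTED_DUMP = {u: fast_hash(p) for u, p in PLAINTEXTS.items()}
SALTED_DUMP = make_salted_dump(PLAINTEXTS)

# Constructed attacker wordlist: top passwords plus a famous phrase.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "allmimsyweretheborogoves", "correcthorsebatterystaple"]


def duplicate_groups(dump: dict) -> list:
    # Without salts, identical passwords give identical hashes, so shared
    # passwords stand out before a single guess has been made.
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def crack_unsalted(dump: dict, wordlist) -> tuple:
    # One hash per guess, looked up against every stolen hash at once.
    # Returns (recovered passwords, number of hash computations).
    lookup = {fast_hash(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in dump.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(dump: dict, wordlist, iterations: int = SLOW_ITERATIONS) -> tuple:
    # Salts force one slow hash per guess per user; no work is shared.
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            work += 1
            if slow_hash(w, salt, iterations) == h:
                found[user] = w
                break
    return found, work


def mask_keyspace(mask: str) -> int:
    # Candidates for a mask such as "?l?u?d?d?s?d?s?l?u" (the shape of
    # aN34%6!bJ). The site's complexity rules tell the attacker the mask.
    n = 1
    for i in range(0, len(mask), 2):
        n *= MASK_SIZES[mask[i:i + 2]]
    return n


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    # Candidates for a passphrase of `words` words drawn from a dictionary.
    return dictionary_size ** words


if __name__ == "__main__":
    print("duplicates:", duplicate_groups(UNSALTED_DUMP))
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    print("salted:", crack_salted(SALTED_DUMP, WORDLIST))
    print("mask aN34%6!bJ:", f"{mask_keyspace('?l?u?d?d?s?d?s?l?u'):.2e}")
    print("4 words of 10,000:", f"{passphrase_keyspace(10_000, 4):.2e}")
```

Three things to notice when it runs: alice and carol are exposed as sharing a password in the unsalted dump before any cracking starts, the salted version costs ten slow hashes instead of six fast ones for the same wordlist (and would cost far more with a realistic wordlist, since nothing is shared across users), and dave’s passphrase survives both attacks because it is in no wordlist. The mask keyspace for the “strong” nine-character password comes out near five hundred billion, against ten quadrillion for four dictionary words.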

Hopefully we are soon moving to a day when we won’t need any passwords. There has to be something better, which would be a combination of multiple biometric readings from your own body. Hackers have already shown that they can fool a single biometric check like a fingerprint reader with a copied print. It gets much harder to fool a system that checks multiple biometric readings simultaneously. One caveat a security engineer will raise: unlike a password, you can’t change your fingerprints or your face if the stored template leaks, so the trustworthy systems keep the template locked inside the device and pair the biometric with something you have, like the phone itself. Still, the ultimate password is eventually going to be you. That is a password I can finally like.

Current News

The Password is You

There is a lot of progress being made with biometrics and it should not be too many years until biometric techniques are the preferred way to authenticate transactions. The field has been around for many years, but the historical biometric technologies have been too expensive for widespread use. Today I report on some of the latest in biometric technology.

Behaviometrics. This is a new field that can keep track of people by their behavioral traits. For example, you can track computer users using their typing characteristics – everybody has a certain cadence and rhythm when typing and Behaviosec of Palo Alto has developed a technology that can verify that the person behind the keyboard is who they are supposed to be.

This is certainly one more security tool and is a good idea when giving people access to sensitive data. I do see a flaw in that people’s typing rhythms can change due to injury or other reasons, but this provides another general tool to know who is accessing your network.
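To make the typing-rhythm idea concrete, here is an added toy keystroke-dynamics verifier. It is not BehavioSec’s code, and the enrolment timings, the two attempts, the noise floors and the accept threshold are constructed assumptions chosen to illustrate the mechanism. It enrols a user from five typings of the same seven-keystroke sequence, scores a new attempt by how far each inter-key interval sits from the enrolled mean, and then shows the injury problem raised above: a user who is uniformly slower fails on raw timings but passes when intervals are compared as a share of total typing time.

```python
"""Added example (not BehavioSec's code): a minimal keystroke-dynamics
verifier. It enrols a user from a few typings of a short key sequence, then
scores new attempts by how far each inter-key interval sits from the enrolled
mean. All timing data is constructed, not measured."""
import statistics

SD_FLOOR_MS = 10.0    # assumed noise floor for raw intervals (ms)
SD_FLOOR_REL = 0.01   # assumed noise floor for intervals as a share of total time
THRESHOLD = 1.5       # assumed accept/reject cut-off on the mean |z| score

# Constructed enrolment: inter-key intervals (ms) for one user typing the same
# seven-keystroke transition sequence five times.
ENROLMENT = [
    [120, 95, 130, 110, 140, 100, 115],
    [125, 90, 135, 105, 145, 105, 110],
    [118, 98, 128, 112, 138, 98, 118],
    [122, 93, 132, 108, 142, 102, 113],
    [115, 94, 125, 115, 135, 95, 119],
]


def normalize(sample):
    # Express each interval as a fraction of total typing time, so a user who
    # is uniformly slower (tired, injured, new keyboard) keeps the same shape.
    total = sum(sample)
    return [x / total for x in sample]


def build_profile(samples, relative=False):
    # Per-position mean and population standard deviation of the intervals.
    rows = [normalize(s) for s in samples] if relative else samples
    return [(statistics.mean(col), statistics.pstdev(col)) for col in zip(*rows)]


def score(profile, attempt, relative=False):
    # Mean absolute z-score across positions; the floor stops a suspiciously
    # consistent enrolment from rejecting everything.
    floor = SD_FLOOR_REL if relative else SD_FLOOR_MS
    xs = normalize(attempt) if relative else attempt
    zs = [abs(x - mu) / max(sd, floor) for (mu, sd), x in zip(profile, xs)]
    return statistics.mean(zs)


def verify(profile, attempt, relative=False, threshold=THRESHOLD):
    # Accept when the attempt is, on average, within `threshold` noise floors
    # of the enrolled rhythm.
    return score(profile, attempt, relative) < threshold


# Constructed attempts.
GENUINE = [123, 92, 133, 108, 143, 98, 116]       # same person, same day
IMPOSTOR = [80, 150, 90, 170, 95, 160, 70]        # someone else, different rhythm
INJURED = [180, 154, 190, 170, 200, 160, 175]     # same person, every key 60 ms slower

if __name__ == "__main__":
    for relative in (False, True):
        profile = build_profile(ENROLMENT, relative)
        for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("injured", INJURED)):
            print(f"relative={relative} {name}: score={score(profile, attempt, relative):.2f} "
                  f"accept={verify(profile, attempt, relative)}")
```

On raw timings the genuine attempt scores about 0.2 and the impostor about 5, but the injured user scores 6 and is rejected, which is exactly the flaw noted above. Comparing relative rhythm instead brings the injured user down to about 0.5 while the impostor stays near 6, so the shape of someone’s typing is a better signal than its absolute speed. A production system would use far more features (hold times, per-key-pair statistics, mouse and touch behaviour) and would re-enrol gradually as a user’s habits drift.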

Directed Advertising. Tesco, one of the world’s largest retail store chains, is introducing facial recognition at gas pumps for some of its stores. The facial recognition will determine who you are (if you are a regular customer) or classify you by sex and age and then will display ads aimed at you. There are also billboards in Japan that change message depending on who is walking past. These are early steps in using biometrics to pinpoint advertising aimed directly at specific customers.

Facial Recognition for Payments. China will be broadly implementing a facial recognition system that will become the preferred method for authorizing payments at stores and other places. This should be deployed during 2015 and the goal is that a person’s face becomes their PIN. Validation is supposed to be nearly instantaneous and will speed up payments while also reducing fraud.

Eye Scanning App. Very high-end security systems have used retina scans for many years. EyeVerify of Kansas City, a leader in this field, has found a way to use an ordinary smartphone camera to verify a user by a quick eye scan; its technique reads the pattern of blood vessels in the whites of the eye rather than the retina, which needs special hardware. This can be a way to unlock your phone, but the firm is working towards making this a way for banks to verify customers and transactions.

Pre-Crime Biometrics. The Israeli firm BioCatch uses a technology that builds a profile of users to identify questionable behavior. They build a database of where you shop, what you buy, etc. to be able to spot when somebody is doing something unusual. Banks have been doing this to some extent for years but this new technology develops a far more detailed profile than banks have used in the past to spot fraud.

Fingerprint Verification. Apple introduced fingerprint verification in 2013 to allow users to lock or unlock the phone or sensitive content. Samsung is now working with PayPal to introduce similar technology in 25 countries to verify payment transactions.

India going Biometric. A large portion of India’s population has been undocumented in that there is no equivalent there of a social security number. So the country has launched a program (Aadhaar) and has gathered fingerprints, iris scans and photographs of 500 million of its citizens in order to develop an easier way for people to be identified. They are working towards having biometrics be the normal way to identify people and are also going to make the database available to merchants for purchase verification.

Summary. One has to wonder if the methods being used in China and India, for example, would fly in the West. For instance, while the Chinese system of identifying everybody by facial recognition can make it easier there for people to buy things, it also gives the government a way to closely track where everybody goes in public. Every cash register becomes a tool for the state to track people’s movements, and one has to wonder if most of the world is ready for that level of surveillance.

Certainly there is a lot of room for improvement in security and Americans in recent polls have said that identity theft is one of their largest concerns. So one can imagine that technologies like using fingerprints on a smartphone app might be a good way to add more security for purchases.

I know I would not be comfortable with directed ads where a store flashes ads meant specifically for me. We know that Google and others have built detailed databases about us, but the idea of having that shoved in your face when these databases are matched to facial recognition feels like going too far. I would probably avoid a store that flashed an ad aimed directly at me. But everybody is different and I suspect my wife would love stores to present her with specials as she shopped. This is already being done today to some extent using your cellphone’s ID, and facial recognition expands this to everybody and not just those using smartphones.